httpd-dev mailing list archives

From Chuck Murcko <ch...@topsail.org>
Subject Re: sigh. iis...
Date Sun, 04 Jan 1998 06:02:06 GMT
Marc Slemko wrote:
> 
> Looking at IIS some more,
> 
> http://myserver/cgi-bin/mycgi.exe/../../foo/ will access the same thing as
> http://myserver/foo/
> 
> That's kinda broken, no?
> 
> Only problem is that Apache does it too.
> 
> With Apache, it logs it as /cgi-bin/mycgi.exe/../../foo (IIS doesn't).
> This means that anyone can sneak around any billing based on logfile
> analysis.
> 

Are you saying it does this even without a ScriptAlias directive? That's
not good.

> NS enterprise 3.x seems to just deny all requests with a /../ in the
> request anywhere.

-- 
chuck
Chuck Murcko            The Topsail Group             West Chester PA
USA
chuck@topsail.org
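
The log-analysis gap described in the quoted message can be closed on the analysis side by resolving dot segments before attributing hits. The sketch below is an added example, not part of the original message and not Apache code; the log lines are constructed, the names `canonical_path` and `audit` are hypothetical, and percent-decoding before resolution is an assumption of this sketch.

```python
import re
from urllib.parse import unquote, urlsplit

# Request field of a Common Log Format line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def canonical_path(target):
    """Resolve "." and ".." segments so the path names the resource actually served.

    Assumption: percent-encoding is decoded first, so encoded dot segments
    are resolved as well. Real servers differ on this.
    """
    path = unquote(urlsplit(target).path)
    out = []
    for seg in path.split("/"):
        if seg == "..":
            if out:
                out.pop()          # never climb above the document root
        elif seg not in ("", "."):
            out.append(seg)
    # Keep a trailing slash when the original path ended in a directory reference.
    trailing = "/" if out and path.endswith(("/", "/.", "/..")) else ""
    return "/" + "/".join(out) + trailing

def audit(lines):
    """Return (hits per canonical path, [(logged path, canonical path)] where they differ)."""
    hits, rewritten = {}, []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue
        logged = urlsplit(m["target"]).path
        canon = canonical_path(m["target"])
        hits[canon] = hits.get(canon, 0) + 1
        if canon != logged:
            rewritten.append((logged, canon))
    return hits, rewritten

# Constructed sample log lines using the paths from the message above.
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Jan/1998:06:00:01 +0000] "GET /foo/ HTTP/1.0" 200 1043',
    '192.0.2.11 - - [04/Jan/1998:06:00:07 +0000] "GET /cgi-bin/mycgi.exe/../../foo/ HTTP/1.0" 200 1043',
    '192.0.2.12 - - [04/Jan/1998:06:00:09 +0000] "GET /cgi-bin/mycgi.exe HTTP/1.0" 200 212',
]

if __name__ == "__main__":
    hits, rewritten = audit(SAMPLE_LOG)
    print(hits)
    print(rewritten)
```

Entries returned in the second list are requests whose logged path differs from the resource served, which is the set a billing or audit job would otherwise misattribute.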
